Consrv.dll removal?

Hi people,

My name is Dimitrij and I urgently need help, since I really tried out everything I personally can. I have Kaspersky and Malware both identifying the C:\Windows\system32\consrv.dll virus.

So it’s exactly the same problem as “lightblack” posted in the following thread : http://forum.avast.com/index.php?topic=94872.0.

As I understand it, you managed to help him, and I really hope that you can also help me in this case.

Best regards

Dimitrij

follow the guide here and attach the logs requested
http://forum.avast.com/index.php?topic=53253.0

All steps done, I think, as instructed in your guide.

Before Kaspersky started to work on it, Malware identified “consrv.dll”

best regards.

Hi Damier, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

This may take a few runs so please be patient.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Right click on ComboFix.exe, click Run as Administrator & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you – please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

Hi oldman,

Done as specified ( hopefully ).

*Edit: Kaspersky complains that it can’t work on a problem because of a missing identified file. Maybe progress? :)

Hi Damier,

Looks good so far.

[QUOTE]Kaspersky complains that it can’t work on a problem because of a missing identified file. Maybe progress?[/quote]
What’s the name of the file(s)?

uTorrent
You have LimeWire, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. It’s not the program itself that is the problem but what can be downloaded with it, usually from an unknown source. You’ll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun…protection.mspx

http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005…cles/art053.htm

I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Next

[*]Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, underneath Output at the top change it to Minimal Output
[*]check the box beside scan all users
[*]UNCheck the boxes beside LOP Check and Purity Check.
[*]In the window under Custom Scans/Fixes copy and paste the following


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /s
/md5start
consrv.dll
/md5stop

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

When the scan completes, it will open a notepad window. OTL.Txt, no Extras.Txt this time.

Please post back with
[*]OTL.txt

Hey Oldman,

uTorrent deleted. Don’t even remember why I had it on my comp. Can’t get the point of the LimeWire P2P. Is it included in uTorrent? Because if not, you might be confusing it with ESL Wire. It’s an anti-cheat tool of an online league.

OTL is attached.

Best regards

Dimitrij

*Edit: The name of the file was, as already mentioned, consrv.dll in the System32 folder. He was in a delete / restart loop, since it always recovered itself. Since the last restart he complains about the missing file consrv.dll, because it always tried to delete it after restart and still had the task in progress. The last time he wanted to work on that was this morning, before I went through all your steps with ComboFix. Afterwards he started to say missing file. (With “he” I mean Kaspersky anti cheat.)

Hi Damier,

Sorry about the confusion regarding Limewire, my fault I forgot to change it to uTorrent.

Log looks good, no sign of consrv.dll.

Your java is out of date. Click your start button > Control Panel
[*]Use the drop down menu beside view by and change it to small icons
[*]locate java (32bit) in the list and click on it
[*]when the java console opens click the update tab
[*]Click update now

Next

Double click on OTL.exe
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :



:Services

:Files
ipconfig /flushdns /c
dir C:\Users\Nutzer\AppData\Local\54822f53\*.* /s /c

:Commands
[emptytemp]
[createrestorepoint]

Then click the Run Fix button at the top

[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.
Please post the OTL log and a new HJT log.

Any problems?

Hey!

Java updated.

New OTL log attached. What is HJT ?

regards

Dimitrij

What is HJT ?
Hijack This ( http://free.antivirus.com/hijackthis/ )

Not sure, but I think that was a typo… as I don’t think he uses it, since he uses OTL.

HJT file.

Done with HJT 2.04

Hi Damier,

Pondus is right, HJT shouldn’t have been there. I was redoing a bunch of my canneds to use on this forum, I guess I didn’t quite get them edited the way they should be.

C:\Users\Nutzer\AppData\Local\54822f53

That folder is empty, you can delete it if you want to.

Everything looks good so if no problems we’ll remove the tools.

From your desktop, please delete, if present
[*]any notepads/logs that we created
[*]aswMBR
[*]mbr.dat

Next

Click the Start button, in the search box type Run. At the top click run

Copy and paste the following line into the run box and click OK

Combofix /uninstall

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have those already.

You should also use Spyware Blaster to help immunize your computer.

  • SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

  • Make sure you have reset Automatic Updates to your chosen option. Click your start button > Control Panel > System and Security > Windows Updates > change settings

  • Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

Please post back if you have any problems.

Hey Oldman.

When I click on Start and type in run, it just shows me all files and folders including “run”. So I don’t really get what I have to do. I guess it’s because of the German Windows.

Hi Damier,

After you type run, click on the run that appears at the top of the list. A run box should appear.